git.stella-ops.org/docs/features/checked/attestor/evidence-first-security-with-dsse-envelopes.md
2026-02-14 09:11:48 +02:00

Evidence-First Security with DSSE Envelopes

Module

Attestor

Status

VERIFIED

Description

All security findings are wrapped in DSSE envelopes; SmartDiff results are attested as delta verdicts and published to OCI registries.

Implementation Details

  • DSSE Envelope Signing: Multiple signing layers across Attestor:
    • src/Attestor/StellaOps.Attestor.Envelope/EnvelopeSignatureService.cs -- core envelope signing
    • __Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs -- proof chain signing
    • StellaOps.Attestor.Core/Signing/DsseSigningService.cs -- core attestation signing
  • Delta Verdict Attestation: Predicates/DeltaVerdictPredicate.cs -- delta verdict wrapped in DSSE. Statements/DeltaVerdictStatement.cs -- in-toto statement.
  • OCI Publication: src/Attestor/__Libraries/StellaOps.Attestor.Oci/Services/ -- IOciAttestationAttacher.cs and OrasAttestationAttacher.cs attach DSSE-signed attestations to OCI images; ISbomOciPublisher.cs and SbomOciPublisher.cs publish SBOMs to OCI.
  • Trust Verdict OCI: __Libraries/StellaOps.Attestor.TrustVerdict/Oci/TrustVerdictOciAttacher.cs (with .Attach, .FetchList) -- attaches trust verdicts to OCI artifacts.
  • Evidence Predicate: Predicates/EvidencePredicate.cs -- wraps security evidence in attestable predicate.
  • Smart Diff: __Tests/StellaOps.Attestor.Types.Tests/SmartDiffSchemaValidationTests.cs -- validates smart diff schema.
  • Tests: __Tests/StellaOps.Attestor.Oci.Tests/OrasAttestationAttacherTests.cs, SbomOciPublisherTests.cs

E2E Test Plan

  • Wrap a security finding in a DSSE envelope via ProofChainSigner and verify the evidence predicate is signed
  • Create a delta verdict from SmartDiff results and sign it as a DSSE envelope
  • Publish the signed delta verdict to an OCI registry via OrasAttestationAttacher and verify it is attached as a referrer
  • Publish an SBOM to OCI via SbomOciPublisher and verify the DSSE signature is attached
  • Attach a trust verdict to an OCI image via TrustVerdictOciAttacher and verify the referrer list includes it
  • Fetch the list of attestations for an OCI image via TrustVerdictOciAttacher.FetchList and verify all attached attestations are returned
  • Verify that a DSSE envelope retrieved from OCI validates correctly
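
The wrap, sign and verify-after-retrieval steps of this plan, as an added Python example at the DSSE protocol level; it is not StellaOps code and calls none of the classes listed above. Assumptions: HMAC-SHA256 from the standard library stands in for the asymmetric signer, the predicate type URI and predicate fields are placeholders, and the subject digest is constructed.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"   # media type of an in-toto statement
KEY = b"constructed-demo-key"                    # constructed; HMAC stands in for a real signer
DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
STATEMENT = {                                    # constructed sample statement
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": DIGEST}}],
    "predicateType": "https://example.invalid/delta-verdict/v1",  # placeholder URI
    "predicate": {"verdict": "pass", "added": 0, "removed": 2}}   # placeholder fields

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def sign(statement, key=KEY, keyid="demo"):
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify(envelope, key=KEY, subject_digest=None):
    """Return the statement only if a signature verifies over PAE(type, payload)."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"], validate=True)
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        raise ValueError("no valid signature")
    statement = json.loads(payload)              # parse only after the signature check
    if subject_digest and all(s["digest"].get("sha256") != subject_digest
                              for s in statement["subject"]):
        raise ValueError("attestation is for a different subject")
    return statement

if __name__ == "__main__":
    env = sign(STATEMENT)
    print(verify(env, subject_digest=DIGEST)["predicate"])
```
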

Verification

| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |